Analysis
- max time kernel: 140s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28/04/2024, 00:15

Behavioral task: behavioral1
- Sample: c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62.dll
- Size: 899KB
- MD5: 4c14034e97d48b625eae6c2a1ade45d3
- SHA1: 6c7d1bfdf006e670dbca86a7479271aafbdcec47
- SHA256: c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62
- SHA512: 5179dd2e0711c77b2d2e2ab5a0e75c9e03b81adf5e3e3bc9770ab5fa1c5c9e0febcdc93a8d43321f567e4a2f29ee2d68552c5025800e83def554ab1269493b1c
- SSDEEP: 24576:7V2bG+2gMir4fgt7ibhRM5QhKehFdMtRj7nH1PXM:7wqd87VM
Malware Config (Extracted)
- Family: gh0strat
- C2: hackerinvasion.f3322.net
Signatures
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/2336-0-0x0000000010000000-0x000000001014F000-memory.dmp
  yara_rule: family_gh0strat
- Suspicious behavior: RenamesItself (1 IoC)
  pid: 2336
  Process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs; all seven entries are identical)
  description: PID 3048 wrote to memory of 2336
  pid: 3048
  Process: rundll32.exe
  procid_target: 28
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62.dll,#1
  PID: 3048
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9af18cf58d7d0a21430f7e601c01c4ae95d54d340a10877f090c435e0be6a62.dll,#1
    PID: 2336
    - Suspicious behavior: RenamesItself